基于无证书签名的抗DNS中间人攻击方案

doi:10.11959/j.issn.2096-109x.2021093

Abstract

Abstract:

Aiming at resisting the man-in-the-middle attacks in the domain name system protocol, a lightweight solution was proposed.The scheme introduced certificate less signature algorithm, removed the difficult-to-deploy trust chain to improve the efficiency and security of authentication.By using symmetric encryption technology, the proposed solution ensured the confidentiality of the message and increase the attack difficulty.The theoretical analysis proved the proposed scheme can resist common man-in-the-middle attacks.Experimental comparison results show the scheme has better performance than similar schemes.

Key words: domain name system, man-in-the-middle attacks, certificate less signature

CLC Number:

TP393

Yang HU, Zengjie HAN, Guohua YE, Zhiqiang YAO. Preventing man-in-the-middle attacks in DNS through certificate less signature[J]. Chinese Journal of Network and Information Security, 2021, 7(6): 167-177.

Figures/Tables 5

符号	含义
G	q阶椭圆曲线的循环群
P	群G生成元
s	主密钥
P_pub	系统公钥
IP_i	实体i的IP地址
t_i	时间戳
H₀	${0, 1}^{} \to Z_{q}^{}$
H₁	$G \times G \to Z_{q}^{*}$
H₂	$G \times {0, 1}^{} \to Z_{q}^{}$
H₃	${0, 1}^{} \times G \times G \times {0, 1}^{} \to Z_{q}^{*}$
K_i	会话密钥
σ_i	实体i的签名
⊕	异或运算

References 32

[1]	王文通, 胡宁, 刘波 ,等. DNS 安全防护技术研究综述[J]. 软件学报, 2020,31(7): 2205-2220.
	WANG W T , HU N , LIU B ,et al. Survey on technology of security enhancement for DNS[J]. Journal of Software, 2020,31(7): 2205-2220.
[2]	CONTI M , DRAGONI N , LESYK V . A survey of man in the middle attacks[J]. IEEE Communications Surveys ＆ Tutorials, 2016,18(3): 2027-2051.
[3]	HERZBERG A , SHULMAN H . Antidotes for DNS poisoning by off-path adversaries[C]// Proceedings of 2012 Seventh International Conference on Availability,Reliability and Security. Piscataway:IEEE Press, 2012: 262-267.
[4]	THOMAS M , MOHAISEN A . Kindred domains:detecting and clustering botnet domains using DNS traffic[C]// Proceedings of the 23rd International Conference on World Wide Web. 2014: 707-712.
[5]	ZHAO Y , HU N , ZHANG C ,et al. DCG:aclient-side protection method for DNS cache[J]. Journal of Internet Services and Information Security, 2020,10(2): 103-121.
[6]	EASTLAKE D , ANDREWS M . Domain name system (DNS) cookies[R]. RFC Editor, 2016.
[7]	EASTLAKE D , KAUFMAN C . Domain name system security extensions[R]. RFC Editor, 1997.
[8]	HERRMANN D , FUCHS K P , LINDEMANN J ,et al. EncDNS:A lightweight privacy-preserving name resolution service[M]. Computer Security-ESORICS 2014, 2014: 37-55.
[9]	BERNSTEIN D J . DNSCurve:usable security for DNS[EB]. 2009.
[10]	ZHU L , HU Z , HEIDEMANN J ,et al. Connection-oriented DNS to improve privacy and security[C]// Proceedings of 2015 IEEE Symposium on Security and Privacy. 2015: 171-186.
[11]	ALI M , NELSON J , SHEA R ,et al. Blockstack:a global naming and storage system secured by blockchains[C]// Proceedings of 25th Usenix Security Symposium. 2016: 181-194.
[12]	CHETIOUI K , ORHANOU G , HAJJI S E . New protocol E-DNSSEC to enhance DNSSEC security[J]. International Journal of Network Security, 2018,20(1): 19-24.
[13]	DIFFIE W , HELLMAN M . New directions in cryptography[J]. IEEE Transactions on Information Theory, 1976,22(6): 644-654.
[14]	宋潇潇 . PKI技术在电子政务中的研究与应用[J]. 电子元器件与信息技术, 2019,3(3): 19-21,25.
	SONG X X . Research and application of PKI technology in E-government[J]. Electronic Component and Information Technology, 2019,3(3): 19-21,25.
[15]	SHAMIR A . Identity-based cryptosystems and signature schemes[M]// Advances in Cryptology. Berlin,Heidelberg: Springer Berlin Heidelberg, 1984: 47-53.
[16]	Al-RIYAMI S S , PATERSON K G . Certificateless public key cryptography[C]// Proceedings of 1st International Conference on Applied Cryptography and Network Security. 2003: 452-473.
[17]	LIU J K , AU M H , SUSILO W . Self-generated-certificate public key cryptography and certificateless signature/encryption scheme in the standard model:extended abstract[C]// Proceedings of the 2nd ACM Symposium on Information,Computer and Communications Security. 2007: 273-283.
[18]	CHOI K Y , PARK J H , HWANG J Y ,et al. Efficient certificateless signature schemes[M]// Applied Cryptography and Network Security. Berlin,Heidelberg: Springer, 2007: 443-458.
[19]	XIONG H , QIN Z , LI F . An improved certificateless signature scheme secure in the standard model[J]. Fundamental Informaticae, 2008,88(1): 193-206.
[20]	HE D , CHEN J , ZHANG R . An efficient and provably-secure certificateless signature scheme without bilinear pairings[J]. International Journal of Communication Systems, 2012,25(11): 1432-1442.
[21]	TSAI J L , LO N W , WU T C . Weaknesses and improvements of an efficient certificateless signature scheme without using bilinear pairings[J]. International Journal of Communication Systems, 2014,27(7): 1083-1090.
[22]	ISLAM S H , BISWAS G P . Provably secure and pairing-free certificateless digital signature scheme using elliptic curve cryptography[J]. International Journal of Computer Mathematics, 2013,90(11): 2244-2258.
[23]	TIWARI N . On the security of pairing-free certificateless digital signature schemes using ECC[J]. ICT Express, 2015,1(2): 94-95.
[24]	YEH K H , SU C H , CHOO K K Raymond ,et al. A novel certificateless signature scheme for smart objects in the Internet of things[J]. Sensors (Basel,Switzerland), 2017,17(5): 1001.
[25]	WU F , XU L L , KUMARI S ,et al. A new and secure authentication scheme for wireless sensor networks with formal proof[J]. Peer-to-Peer Networking and Applications, 2017,10(1): 16-30.
[26]	WANG D , LI W T , WANG P . Measuring two-factor authentication schemes for real-time data access in industrial wireless sensor networks[J]. IEEE Transactions on Industrial Informatics, 2018,14(9): 4081-4092.
[27]	SAEED M E S , LIU Q Y , TIAN G Y ,et al. Remote authentication schemes for wireless body area networks based on the internet of things[J]. IEEE Internet of Things Journal, 2018,5(6): 4926-4944.
[28]	汪定, 李文婷, 王平 . 对三个多服务器环境下匿名认证协议的分析[J]. 软件学报, 2018,29(7): 1937-1952.
	WANG D , LI W T , WANG P . Crytanalysis of three anonymous authentication schemes for multi-server environment[J]. Journal of Software, 2018,29(7): 1937-1952.
[29]	HUANG X Y , MU Y , SUSILO W ,et al. Certificateless signatures:new schemes and security models[J]. The Computer Journal, 2011,55(4): 457-474.
[30]	KARATI A , HAFIZUL ISLAM S , BISWAS G P . A pairing-free and provably secure certificateless signature scheme[J]. Information Sciences, 2018,450: 378-391.
[31]	PAKNIAT N , VANDA B A . Cryptanalysis and improvement of a pairing-free certificateless signature scheme[C]// Proceedings of 2018 15th International ISC (Iranian Society of Cryptology) Conference on Information Security and Cryptology (ISCISC). Piscataway:IEEE Press, 2018: 1-5.
[32]	DENG L Z , YANG Y X , GAO R H ,et al. Certificateless short signature scheme from pairing in the standard model[J]. International Journal of Communication Systems, 2018,31(17): e3796.

Metrics

Recommended 0

No Suggested Reading articles found!

方案	签名算法	验证算法	总开销（T_m）	第一类攻击者	第二类攻击者
文献[30]	T _sm+T _inv	6T_sm	≈214.60	不安全	不安全
文献[31]	T _sm+T _inv	6T_sm	≈214.60	不安全	不安全
文献[32]	T _sm+T _inv	2T_sm+T_par	≈185.60	安全	不安全
本文方案	T_sm+T_h	2 T _sm+T_h	≈203.00	安全	安全

方案	源身份认证	保密性	恶意KGC攻击
DNSSEC^[7]	是	否	不安全
DNSCurve^[9]	是	是	不安全
E-DNSSEC^[12]	是	是	不安全
本文方案	是	是	安全

Preventing man-in-the-middle attacks in DNS through certificate less signature

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 5

References 32

Related Articles 2

Metrics

Recommended 0

[1]	Cui-cui WANG,Zhi-wei YAN,Guang-gang GENG. Internet naming and addressing system security technology and application analysis [J]. Chinese Journal of Network and Information Security, 2017, 3(3): 34-42.
[2]	Chuan GUO,Feng LENG. Analysis of problems in the DNSSEC automation deployment [J]. Chinese Journal of Network and Information Security, 2017, 3(3): 58-63.